
WORLD INTELLECTUAL PROPERTY ORGANIZATION 
International Bureau 




PCT

INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(51) International Patent Classification 6: H04L 29/06    A1

(11) International Publication Number: WO 99/57866

(43) International Publication Date: 11 November 1999 (11.11.99)

(21) International Application Number: PCT/US99/09362

(22) International Filing Date: 29 April 1999 (29.04.99)



(30) Priority Data:
60/084,014   4 May 1998 (04.05.98)     US
09/295,966   21 April 1999 (21.04.99)  US



(71) Applicant: AURIC WEB SYSTEMS [US/US]; Suite 300, 3452 East Foothill Boulevard, Pasadena, CA 91107 (US).

(72) Inventors: IKUDOME, Koichiro; 857 Volante, Arcadia, CA 91007 (US). YEUNG, Moon, Tai; Apartment D, 819 North First Street, Alhambra, CA 91801 (US).

(74) Agent: MONROE, Wesley, W.; Christie, Parker & Hale, LLP, P.O. Box 7068, Pasadena, CA 91109-7068 (US).

(81) Designated States: CA, JP, European patent (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE).



Published 

With international search report. 

Before the expiration of the time limit for amending the 
claims and to be republished in the event of the receipt of 
amendments. 



(54) Title: USER SPECIFIC AUTOMATIC DATA REDIRECTION SYSTEM 







(57) Abstract

A data redirection system for redirecting a user's data based on a stored rule set. The redirection of data is performed by a redirection server, which receives the redirection rule sets for each user from an authentication and accounting server and a database. Prior to using the system, users authenticate with the authentication and accounting server and receive a network address. The authentication and accounting server retrieves the proper rule set for the user and communicates the rule set and the user's address to the redirection server. The redirection server then implements the redirection rule set for the user's address. Rule sets are removed from the redirection server either when the user disconnects or based on some predetermined event. New rule sets are added to the redirection server either when a user connects or based on some predetermined event.






FOR THE PURPOSES OF INFORMATION ONLY

Codes used to identify States party to the PCT on the front pages of pamphlets publishing international applications under the PCT.

AL Albania, AM Armenia, AT Austria, AU Australia, AZ Azerbaijan, BA Bosnia and Herzegovina, BB Barbados, BE Belgium, BF Burkina Faso, BG Bulgaria, BJ Benin, BR Brazil, BY Belarus, CA Canada, CF Central African Republic, CG Congo, CH Switzerland, CI Côte d'Ivoire, CM Cameroon, CN China, CU Cuba, CZ Czech Republic, DE Germany, DK Denmark, EE Estonia.

ES Spain, FI Finland, FR France, GA Gabon, GB United Kingdom, GE Georgia, GH Ghana, GN Guinea, GR Greece, HU Hungary, IE Ireland, IL Israel, IS Iceland, IT Italy, JP Japan, KE Kenya, KG Kyrgyzstan, KP Democratic People's Republic of Korea, KR Republic of Korea, KZ Kazakstan, LC Saint Lucia, LI Liechtenstein, LK Sri Lanka, LR Liberia.

LS Lesotho, LT Lithuania, LU Luxembourg, LV Latvia, MC Monaco, MD Republic of Moldova, MG Madagascar, MK The former Yugoslav Republic of Macedonia, ML Mali, MN Mongolia, MR Mauritania, MW Malawi, MX Mexico, NE Niger, NL Netherlands, NO Norway, NZ New Zealand, PL Poland, PT Portugal, RO Romania, RU Russian Federation, SD Sudan, SE Sweden, SG Singapore.

SI Slovenia, SK Slovakia, SN Senegal, SZ Swaziland, TD Chad, TG Togo, TJ Tajikistan, TM Turkmenistan, TR Turkey, TT Trinidad and Tobago, UA Ukraine, UG Uganda, US United States of America, UZ Uzbekistan, VN Viet Nam, YU Yugoslavia, ZW Zimbabwe.



WO 99/57866 PCT/US99/09362

USER SPECIFIC AUTOMATIC DATA REDIRECTION SYSTEM

FIELD OF THE INVENTION

This invention relates to the field of Internet communications and, more particularly, to a database system for use in dynamically redirecting and filtering Internet traffic.

BACKGROUND OF THE INVENTION 

In prior art systems as shown in FIG. 1, when an Internet user establishes a connection with an Internet Service Provider (ISP), the user first makes a physical connection between their computer 100 and a dial-up networking server 102, and provides the dial-up networking server their user ID and password. The dial-up networking server then passes the user ID and password, along with a temporary Internet Protocol (IP) address for use by the user, to the ISP's authentication and accounting server 104. A detailed description of the IP communications protocol is discussed in Internetworking with TCP/IP, 3rd ed., Douglas Comer, Prentice Hall, 1995, which is fully incorporated herein by reference. The authentication and accounting server, upon verification of the user ID and password using a database 106, would send an authorization message to the dial-up networking server 102 to allow the user to use the temporary IP address assigned to that user by the dial-up networking server, and then logs the connection and assigned IP address. For the duration of that session, whenever the user would make a request to the Internet 110 via a gateway 108, the end user would be identified by the temporarily assigned IP address.

The redirection of Internet traffic is most often done with World Wide Web (WWW) traffic (more specifically, traffic using the HTTP (hypertext transfer protocol)). However, redirection is not limited to WWW traffic, and the concept is valid for all IP services. To illustrate how redirection is accomplished, consider the following example, which redirects a user's request for a WWW page (typically an html (hypertext markup language) file) to some other WWW page. First, the user instructs the WWW browser (typically software running on the user's PC) to access a page on a remote WWW server by typing in the URL (uniform resource locator) or clicking on a URL link. Note that a URL provides information about the communications protocol, the location of the server (typically an Internet domain name or IP address), and the location of the page on the remote server. The browser next sends a request to the server requesting the page. In response to the user's request, the web server sends the requested page to the browser. The page, however, contains html code instructing the browser to request some other WWW page, and hence the redirection of the user begins. The browser then requests the redirected WWW page according to the URL contained in the first page's html code. Alternately, redirection can also be accomplished by coding the page such that it instructs the browser to run a program, like a Java applet or the like, which then redirects the browser. One disadvantage with current redirection technology is that control of the redirection is at the remote end, or WWW server end, and not the local, or user end. That is to say that the redirection is performed by the remote server, not the user's local gateway.

Filtering packets at the Internet Protocol (IP) layer has been possible using a firewall device or other packet filtering device for several years. Although packet filtering is most often used to filter packets coming into a private network for security purposes, once properly programmed, such devices can filter outgoing packets sent from users to a specific destination as well. Packet filtering can distinguish, and filter based on, the type of IP service contained within an IP packet. For example, the packet filter can determine if the packet contains FTP (file transfer protocol) data, WWW data, or Telnet session data. Service identification is achieved by identifying the terminating (destination) port number contained within each IP packet header. Port numbers are standard within the industry to allow for interoperability between equipment. Packet filtering devices allow network administrators to filter packets based on the source and/or destination information, as well as on the type of service being transmitted within each IP packet. Unlike redirection technology, packet filtering technology allows control at the local end of the network connection, typically by the network administrator. However, packet filtering is very limited because it is static. Once packet filtering rule sets are programmed into a firewall or other packet filter device, the rule set can only be changed by manually reprogramming the device.

Packet filter devices are often used with proxy server systems, which provide access control to the Internet and are most often used to control access to the world wide web. In a typical configuration, a firewall or other packet filtering device filters all WWW requests to the Internet from a local network, except for packets from the proxy server. That is to say that a packet filter or firewall blocks all traffic originating from within the local network which is destined for connection to a remote server on port 80 (the standard WWW port number). However, the packet filter or firewall permits such traffic to and from the proxy server. Typically, the proxy server is programmed with a set of destinations that are to be blocked, and packets destined for blocked addresses are not forwarded. When the proxy server receives a packet, the destination is checked against a database for approval. If the destination is allowed, the proxy server simply forwards packets between the local user and the remote server outside the firewall. However, proxy servers are limited to either blocking or allowing specific system terminals access to remote databases.

A recent system is disclosed in U.S. Patent No. 5,696,898. This patent discloses a system, similar to a proxy server, that allows network administrators to restrict specific IP addresses inside a firewall from accessing information from certain public or otherwise uncontrolled databases (i.e., the WWW/Internet). According to the disclosure, the system has a relational database which allows network administrators to restrict specific terminals, or groups of terminals, from accessing certain locations. Similarly limited as a proxy server, this invention can only block or allow terminals' access to remote sites. This system is also static in that rules programmed into the database need to be reprogrammed in order to change which locations specific terminals may access.

SUMMARY OF THE INVENTION

The present invention allows for creating and implementing dynamically changing rules to allow the redirection, blocking, or allowing of specific data traffic for specific users, as a function of database entries and the user's activity. In certain embodiments according to the present invention, when the user connects to the local network, as in the prior art system, the user's ID and password are sent to the authentication accounting server. The user ID and password are checked against information in an authentication database. The database also contains personalized filtering and redirection information for the particular user ID. During the connection process, the dial-up network server provides the authentication accounting server with the IP address that is going to be temporarily assigned to the user. The authentication accounting server then sends both the user's temporary IP address and all of the particular user's filter and redirection information to a redirection server. The IP address temporarily assigned to the end user is then sent back to the end user for use in connecting to the network.

Once connected to the network, all data packets sent to, or received by, the user include the user's temporary IP address in the IP packet header. The redirection server uses the filter and redirection information supplied by the authentication accounting server, for that particular IP address, to either allow packets to pass through the redirection server unmolested, block the request altogether, or modify the request according to the redirection information.

When the user terminates the connection with the network, the dial-up network server informs the authentication accounting server, which in turn sends a message to the redirection server telling it to remove any remaining filtering and redirection information for the terminated user's temporary IP address. This then allows the dial-up network to reassign that IP address to another user. In such a case, the authentication accounting server retrieves the new user's filter and redirection information from the database and passes it, with the same IP address which is now being used by a different user, to the redirection server. This new user's filter may be different from the first user's filter.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a typical Internet Service Provider environment.

FIG. 2 is a block diagram of an embodiment of an Internet Service Provider environment with integrated redirection system.

DETAILED DESCRIPTION OF THE INVENTION

In the following embodiments of the invention, common reference numerals are used to represent the same components. If the features of an embodiment are incorporated into a single system, these components can be shared and perform all the functions of the described embodiments.

FIG. 2 shows a typical Internet Service Provider (ISP) environment with integrated user specific automatic data redirection system. In a typical use of the system, a user employs a personal computer (PC) 100, which connects to the network. The system employs: a dial-up network server 102, an authentication accounting server 204, a database 206 and a redirection server 208.

The PC 100 first connects to the dial-up network server 102. The connection is typically created using a computer modem; however, a local area network (LAN) or other communications link can be employed. The dial-up network server 102 is used to establish a communications link with the user's PC 100 using a standard communications protocol. In the preferred embodiment Point to Point Protocol (PPP) is used to establish the physical link between the PC 100 and the dial-up network server 102, and to dynamically assign the PC 100 an IP address from a list of available addresses. However, other embodiments may employ different communications protocols, and the IP address may also be permanently assigned to the PC 100. Dial-up network servers 102, PPP and dynamic IP address assignment are well known in the art.

An authentication accounting server with Auto-Navi component (hereinafter, authentication accounting server) 204 is used to authenticate the user ID and permit, or deny, access to the network. The authentication accounting server 204 queries the database 206 to determine if the user ID is authorized to access the network. If the authentication accounting server 204 determines the user ID is authorized, the authentication accounting server 204 signals the dial-up network server 102 to assign the PC 100 an IP address, and the Auto-Navi component of the authentication accounting server 204 sends the redirection server 208 (1) the filter and redirection information stored in database 206 for that user ID and (2) the temporarily assigned IP address for the session. One example of an authentication accounting server is discussed in U.S. Patent No. 5,845,070, which is fully incorporated here by reference. Other types of authentication accounting servers are known in the art. However, these authentication accounting servers lack an Auto-Navi component.

The system described herein operates based on user IDs supplied to it by a computer. Thus the system does not "know" who the human being "user" is at the keyboard of the computer that supplies a user ID. However, for the purposes of this detailed description, "user" will often be used as a shorthand expression for "the person supplying inputs to a computer that is supplying the system with a particular user ID."

The database 206 is a relational database which stores the system data. FIG. 3 shows one embodiment of the database structure. The database, in the preferred embodiment, includes the following fields: a user account number, the services allowed or denied each user (for example: e-mail, Telnet, FTP, WWW), and the locations each user is allowed to access.

Rule sets are employed by the system and are unique for each user ID, or a group of user IDs. The rule sets specify elements or conditions about the user's session. Rule sets may contain data about a type of service which may or may not be accessed, a location which may or may not be accessed, how long to keep the rule set active, under what conditions the rule set should be removed, when and how to modify the rule set during a session, and the like. Rule sets may also have a preconfigured maximum lifetime to ensure their removal from the system.

The redirection server 208 is logically located between the user's computer 100 and the network, and controls the user's access to the network. The redirection server 208 performs all the central tasks of the system. The redirection server 208 receives information regarding newly established sessions from the authentication accounting server 204. The Auto-Navi component of the authentication accounting server 204 queries the database for the rule set to apply to each new session, and forwards the rule set and the currently assigned IP address to the redirection server 208. The redirection server 208 receives the IP address and rule set, and is programmed to implement the rule set for the IP address, as well as other attendant logical decisions such as: checking data packets and blocking or allowing the packets as a function of the rule sets, performing the physical redirection of data packets based on the rule sets, and dynamically changing the rule sets based on conditions. When the redirection server 208 receives information regarding a terminated session from the authentication accounting server 204, the redirection server 208 removes any outstanding rule sets and information associated with the session. The redirection server 208 also checks for and removes expired rule sets from time to time.

In an alternate embodiment, the redirection server 208 reports all or some selection of session information to the database 206. This information may then be used for reporting, or additional rule set generation.
System Features Overview 

In the present embodiment, each specific user may be limited to, or allowed, specific IP services, such as WWW, FTP and Telnet. This allows a user, for example, WWW access, but not FTP access or Telnet access. A user's access can be dynamically changed by editing the user's database record and commanding the Auto-Navi component of the authentication accounting server 204 to transmit the user's new rule set and current IP address to the redirection server 208.

A user's access can be "locked" to only allow access to one location, or a set of locations, without affecting other users' access. Each time a locked user attempts to access another location, the redirection server 208 redirects the user to a default location. In such a case, the redirection server 208 acts either as proxy for the destination address, or in the case of WWW traffic the redirection server 208 replies to the user's request with a page containing a redirection command.

A user may also be periodically redirected to a location, based on a period of time or some other condition. For example, the user will first be redirected to a location regardless of what location the user attempts to reach, then permitted to access other locations, but every ten minutes the user is automatically redirected to the first location. The redirection server 208 accomplishes such a rule set by setting an initial temporary rule set to redirect all traffic; after the user accesses the redirected location, the redirection server then either replaces the temporary rule set with the user's standard rule set or removes the rule set altogether from the redirection server 208. After a certain or variable time period, such as ten minutes, the redirection server 208 reinstates the rule set again.

The following steps describe details of a typical user session:

• A user connects to the dial-up network server 102 through computer 100.

• The user inputs user ID and password to the dial-up network server 102 using computer 100, which forwards the information to the authentication accounting server 204.

• The authentication accounting server 204 queries database 206 and performs a validation check of user ID and password.

• Upon a successful user authentication, the dial-up network server 102 completes the negotiation and assigns an IP address to the user. Typically, the authentication accounting server 204 logs the connection in the database 206.

• The Auto-Navi component of the authentication accounting server 204 then sends both the user's rule set (contained in database 206) and the user's IP address (assigned by the dial-up network server 102) in real time to the redirection server 208 so that it can filter the user's IP packets.

• The redirection server 208 programs the rule set and IP address so as to control (filter, block, redirect, and the like) the user's data as a function of the rule set.

The following is an example of a typical user's rule set, attendant logic and operation:

If the rule set for a particular user (i.e., user UserID-2) was such as to only allow that user to access the web site www.us.com, and permit Telnet services, and redirect all web access from any server at xyz.com to www.us.com, then the logic would be as follows:

The database 206 would contain the following record for user UserID-2:

    ID        UserID-2
    Password: secret

    ################
    ### Rule Sets ###
    ################

    #service   rule                     expire
    http       www.us.com               0
    http       *.xyz.com=>www.us.com    0



• The user initiates a session, and sends the correct user ID and password (UserID-2 and secret) to the dial-up network server 102. As both the user ID and password are correct, the authentication accounting server 204 authorizes the dial-up network server 102 to establish a session. The dial-up network server 102 assigns UserID-2 an IP address (for example, 10.0.0.1) and passes the IP address to the authentication accounting server 204.

• The Auto-Navi component of the authentication accounting server 204 sends both the user's rule set and the user's IP address (10.0.0.1) to the redirection server 208.

• The redirection server 208 programs the rule set and IP address so as to filter and redirect the user's packets according to the rule set. The logic employed by the redirection server 208 to implement the rule set is as follows:

    IF source IP-address = 10.0.0.1 AND
       ( ((request type = HTTP) AND (destination address = www.us.com)) OR
         (request type = Telnet) )
    THEN ok.

    IF source IP-address = 10.0.0.1 AND
       ((request type = HTTP) AND (destination address = *.xyz.com))
    THEN (redirect = www.us.com)

The redirection server 208 monitors all the IP packets, checking each against the rule set. In this situation, if IP address 10.0.0.1 (the address assigned to user ID UserID-2) attempts to send a packet containing HTTP data (i.e., attempts to connect to port 80 on any machine within the xyz.com domain), the traffic is redirected by the redirection server 208 to www.us.com. Similarly, if the user attempts to connect to any service other than HTTP at www.us.com or Telnet anywhere, the packet will simply be blocked by the redirection server 208.

When the user logs out or disconnects from the system, the redirection server will remove all remaining rule sets.

The following is another example of a typical user's rule set, attendant logic and operation:

If the rule set for a particular user (i.e., user UserID-3) was to force the user to visit the web site www.widgetsell.com first, then to have unfettered access to other web sites, then the logic would be as follows:

The database 206 would contain the following record for user UserID-3:

    ID        UserID-3
    Password: top-secret

    ################
    ### Rule Sets ###
    ################

    #service   rule                     expire
    http       *=>www.widgetsell.com    1x



• The user initiates a session, and sends the correct user ID and password (UserID-3 and top-secret) to the dial-up network server 102. As both the user ID and password are correct, the authentication accounting server 204 authorizes the dial-up network server 102 to establish a session. The dial-up network server 102 assigns UserID-3 an IP address (for example, 10.0.0.1) and passes the IP address to the authentication accounting server 204.

• The Auto-Navi component of the authentication accounting server 204 sends both the user's rule set and the user's IP address (10.0.0.1) to the redirection server 208.

• The redirection server 208 programs the rule set and IP address so as to filter and redirect the user's packets according to the rule set. The logic employed by the redirection server 208 to implement the rule set is as follows:

    IF source IP-address = 10.0.0.1 AND
       (request type = HTTP)
    THEN (redirect = www.widgetsell.com)
    THEN SET NEW RULE
       IF source IP-address = 10.0.0.1 AND
          (request type = HTTP)
       THEN ok.

The redirection server 208 monitors all the IP packets, checking each against the rule set. In this situation, if IP address 10.0.0.1 (the address assigned to user ID UserID-3) attempts to send a packet containing HTTP data (i.e., attempts to connect to port 80 on any machine), the traffic is redirected by the redirection server 208 to www.widgetsell.com. Once this is done, the redirection server 208 will remove the rule set and the user is free to use the web unmolested.

When the user logs out or disconnects from the system, the redirection server will remove all remaining rule sets.
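The two sessions above, as an added example that is not part of the patent: a small Python model of the redirection server's rule engine. Rule lines follow the "#service rule expire" layout of the records shown (0 = no expiry, "1x" = remove after the rule fires once); reading a numeric expire value as a lifetime in seconds is this example's assumption, as are the message names session_started/session_ended, the telnet line added to the UserID-2 record (the prose permits Telnet but the printed record omits it), and the trailing "http * 0" allow rule that stands in for the "THEN SET NEW RULE ... THEN ok" step of the UserID-3 logic. Rules are keyed by the temporarily assigned address, so session_started replaces rather than merges the address's rule set: when 10.0.0.1 is reassigned, the previous user's rules must not survive.

```python
"""Toy model of the redirection server's per-address rule engine.

Added example, not code from the patent.  Rule records use the
"#service rule expire" layout shown for UserID-2 and UserID-3; the
message names and the "1x"/numeric expire semantics are assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple

Decision = Tuple[str, Optional[str]]   # ("allow"|"block"|"redirect", target)


@dataclass
class Rule:
    service: str                  # "http", "telnet", "ftp", ...
    pattern: str                  # destination host pattern; "*" matches any host
    target: Optional[str]         # redirect destination, or None for an allow rule
    one_shot: bool                # "1x": remove the rule after it fires once
    expires_at: Optional[float]   # absolute time, or None for no expiry


def parse_rules(record: str, now: float = 0.0) -> List[Rule]:
    """Parse the rule-set block of a database record; '#' lines are comments."""
    rules: List[Rule] = []
    for line in record.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        service, rule, expire = line.split()
        pattern, _, target = rule.partition("=>")   # "a=>b" redirects, "a" allows
        rules.append(Rule(
            service=service.lower(),
            pattern=pattern,
            target=target or None,
            one_shot=(expire == "1x"),
            # assumption: a numeric expire value is a lifetime in seconds
            expires_at=None if expire in ("0", "1x") else now + float(expire),
        ))
    return rules


class RedirectionServer:
    """Active rule sets keyed by the temporarily assigned IP address."""

    def __init__(self) -> None:
        self.rules: Dict[str, List[Rule]] = {}

    # Messages from the Auto-Navi component of the authentication accounting
    # server.  Replace, never merge: the address may have just been reused.
    def session_started(self, ip: str, record: str, now: float = 0.0) -> None:
        self.rules[ip] = parse_rules(record, now)

    def session_ended(self, ip: str) -> None:
        self.rules.pop(ip, None)

    def purge_expired(self, now: float) -> None:
        """The periodic sweep for rules past their maximum lifetime."""
        for active in self.rules.values():
            active[:] = [r for r in active if r.expires_at is None or r.expires_at > now]

    def decide(self, src_ip: str, service: str, dest_host: str,
               now: float = 0.0) -> Decision:
        """Classify one request; first matching rule wins, no match blocks."""
        self.purge_expired(now)
        active = self.rules.get(src_ip)
        if active is None:
            return ("block", None)            # no session for this address
        for rule in active:
            if rule.service != service.lower() or not fnmatch(dest_host, rule.pattern):
                continue
            if rule.one_shot:
                active.remove(rule)           # fires once, then disappears
            if rule.target is None:
                return ("allow", None)
            return ("redirect", rule.target)
        return ("block", None)


# Constructed records modelled on the patent's two examples.
USERID_2 = """
#service   rule                     expire
http       www.us.com               0
http       *.xyz.com=>www.us.com    0
telnet     *                        0
"""
# The final allow rule stands in for the patent's "SET NEW RULE ... THEN ok".
USERID_3 = """
#service   rule                     expire
http       *=>www.widgetsell.com    1x
http       *                        0
"""


def demo() -> List[Decision]:
    """Both sessions in turn on the reused address 10.0.0.1."""
    rs = RedirectionServer()
    out: List[Decision] = []
    rs.session_started("10.0.0.1", USERID_2)
    out.append(rs.decide("10.0.0.1", "http", "www.us.com"))       # allow
    out.append(rs.decide("10.0.0.1", "http", "www.xyz.com"))      # redirect
    out.append(rs.decide("10.0.0.1", "ftp", "www.us.com"))        # block
    out.append(rs.decide("10.0.0.1", "telnet", "host.example"))   # allow
    rs.session_ended("10.0.0.1")
    out.append(rs.decide("10.0.0.1", "http", "www.us.com"))       # block
    rs.session_started("10.0.0.1", USERID_3)                      # address reused
    out.append(rs.decide("10.0.0.1", "http", "news.example"))     # redirect once
    out.append(rs.decide("10.0.0.1", "http", "news.example"))     # allow
    return out
```

Requests from an address with no installed rule set are blocked (fail closed), which is the safer default for a device that sits in the forwarding path; the patent leaves this case unspecified.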

In an alternate embodiment a user may be periodically redirected to a location based on a number of other factors, such as the number of locations accessed, the time spent at a location, the types of locations accessed, and other such factors.

A user's account can also be disabled after the user has exceeded a length of time. The authentication accounting server 204 keeps track of the user's time online. Prepaid use subscriptions can thus be easily managed by the authentication accounting server 204.

In yet another embodiment, signals from the Internet 110 side of redirection server 208 can be used to modify rule sets being used by the redirection server. Preferably, encryption and/or authentication are used to verify that the server or other computer on the Internet 110 side of redirection server 208 is authorized to modify the rule set or rule sets that are being attempted to be modified. An example of this embodiment is where it is desired that a user be redirected to a particular web site until they fill out a questionnaire or satisfy some other requirement on such a web site. In this example, the redirection server redirects a user to a particular web site that includes a questionnaire. After this web site receives acceptable data in all required fields, the web site then sends an authorization to the redirection server that deletes the redirection to the questionnaire web site from the rule set for the user who successfully completed the questionnaire. Of course, the type of modification an outside server can make to a rule set on the redirection server is not limited to deleting a redirection rule, but can include any other type of modification to the rule set that is supported by the redirection server as discussed above.
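For the questionnaire embodiment above, an added example (not the patent's own mechanism) of the authentication the text recommends before an Internet-side server may alter a rule set: the web site signs a "modify rule set" message with a shared secret (HMAC-SHA256), and the redirection server checks the MAC, a timestamp window and a single-use nonce before acting. The message field names, the replay window and the use of one shared key per registered server are assumptions of this example.

```python
"""Authenticated rule-modification signal from the Internet side.

Added example, not from the patent.  It models the text's suggestion that a
web site (e.g. the questionnaire server) must be authenticated before it may
remove a redirection rule.  Field names, the HMAC-SHA256 construction and
the replay window are assumptions of this example.
"""
import hashlib
import hmac
import json
import os
from typing import Dict, List, Set


def _canonical(payload: Dict[str, object]) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_modification(key: bytes, server_id: str, user_ip: str,
                      action: str, rule: str, now: float) -> Dict[str, object]:
    """Web-site side: build a signed 'modify rule set' message."""
    payload: Dict[str, object] = {
        "server": server_id,
        "ip": user_ip,               # the temporarily assigned address affected
        "action": action,            # e.g. "delete" or "add"
        "rule": rule,                # rule line in "service rule expire" form
        "ts": int(now),
        "nonce": os.urandom(16).hex(),
    }
    payload["mac"] = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return payload


class RuleModificationGate:
    """Redirection-server side: accept a modification only from a registered
    server, with a valid MAC, a fresh timestamp and an unused nonce."""

    def __init__(self, shared_keys: Dict[str, bytes], max_skew: float = 300.0) -> None:
        self.keys = shared_keys
        self.max_skew = max_skew
        self.seen_nonces: Set[str] = set()   # production code would prune by age

    def verify(self, msg: Dict[str, object], now: float) -> bool:
        key = self.keys.get(str(msg.get("server")))
        if key is None:
            return False                     # unregistered sender
        unsigned = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(key, _canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False                     # forged or tampered
        ts = msg.get("ts")
        if not isinstance(ts, (int, float)) or abs(now - ts) > self.max_skew:
            return False                     # stale
        nonce = str(msg.get("nonce"))
        if nonce in self.seen_nonces:
            return False                     # replay
        self.seen_nonces.add(nonce)          # consume only after all checks pass
        return True


def demo() -> List[bool]:
    """Genuine, replayed, tampered, stale and unregistered messages in turn."""
    key = bytes(range(32))                   # constructed shared secret
    gate = RuleModificationGate({"questionnaire.example": key})
    rule = "http *=>www.questionnaire.example 0"
    msg = sign_modification(key, "questionnaire.example", "10.0.0.1", "delete", rule, 1000.0)
    tampered = dict(msg)
    tampered["ip"] = "10.0.0.2"              # try to repoint at another user's address
    stale = sign_modification(key, "questionnaire.example", "10.0.0.1", "delete", rule, 10.0)
    rogue = sign_modification(b"x" * 32, "rogue.example", "10.0.0.1", "delete", rule, 1000.0)
    return [
        gate.verify(msg, 1010.0),            # True: genuine, fresh, first use
        gate.verify(msg, 1011.0),            # False: replay of a used nonce
        gate.verify(tampered, 1010.0),       # False: MAC no longer matches
        gate.verify(stale, 1010.0),          # False: outside the time window
        gate.verify(rogue, 1010.0),          # False: unregistered server
    ]
```

Without the nonce and timestamp, a captured authorization for one address could be replayed later against whichever user holds that address next; binding the user's IP and the exact rule into the MAC means a valid message cannot be repointed at a different session.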

It will be clear to one skilled in the art that the invention may be implemented to control (block, allow and redirect) any type of service, such as Telnet, FTP, WWW and the like. The invention is easily programmed to accommodate new services or networks and is not limited to those services and networks (e.g., the Internet) now known in the art.

It will also be clear that the invention may be implemented on non-IP based networks which implement other addressing schemes, such as IPX, MAC addresses and the like. While the operational environment detailed in the preferred embodiment is that of an ISP connecting users to the Internet, it will be clear to one skilled in the art that the invention may be implemented in any application where control over users' access to a network or network resources is needed, such as a local area network, wide area network and the like. Accordingly, neither the environment nor the communications protocols are limited to those discussed.
CLAIMS:

1. A system comprising:

a database with entries correlating each of a plurality of user IDs with an individualized rule set;

a dial-up network server that receives user IDs from users' computers;

a redirection server connected to the dial-up network server, an authentication accounting server connected to the database, the dial-up network server and the redirection server;

wherein the dial-up network server communicates a first user ID and a temporarily assigned network address for the first user ID to the authentication accounting server; and

wherein the authentication accounting server accesses the database and communicates the individualized rule set that correlates with the user ID and the temporarily assigned network address to the redirection server.

2. The system of claim 1, wherein the redirection server further provides control over a plurality of data to and from the users' computers as a function of the individualized rule set.

3. The system of claim 1, wherein the redirection server further blocks the data to and from the users' computers as a function of the individualized rule set.

4. The system of claim 1, wherein the redirection server further allows the data to and from the users' computers as a function of the individualized rule set.

5. The system of claim 1, wherein the redirection server further redirects the data to and from the users' computers as a function of the individualized rule set.

6. The system of claim 1, wherein the redirection server further redirects the data from the users' computers to multiple destinations as a function of the individualized rule set.

7. The system of claim 1, wherein the database entries for a plurality of the plurality of users' IDs are correlated with a common individualized rule set.

8. In a system comprising a database with entries correlating each of a plurality of user IDs with an individualized rule set; a dial-up network server that receives user IDs from users' computers; a redirection server connected to the dial-up network server, an authentication accounting server connected to the database, the dial-up network server and the redirection server, the method comprising the steps of:

communicating a first user ID and a temporarily assigned network address for the first user ID from the dial-up network server to the authentication accounting server; and

communicating the individualized rule set that correlates with the user ID and the temporarily assigned network address to the redirection server from the authentication accounting server.

9. The method of claim 8, further including the step of controlling a plurality of data to and from the users' computers as a function of the individualized rule set.

10. The method of claim 8, further including the step of blocking the data to and from the users' computers as a function of the individualized rule set.

11. The method of claim 8, further including the step of allowing the data to and from the users' computers as a function of the individualized rule set.

12. The method of claim 8, further including the step of redirecting the data to and from the users' computers as a function of the individualized rule set.

13. The method of claim 8, further including the step of redirecting the data from the users' computers to multiple destinations as a function of the individualized rule set.

14. The method of claim 8, further including the step of creating database entries for a plurality of the plurality of users' IDs, the plurality of users' IDs further being correlated with a common individualized rule set.

15. A system comprising:

a redirection server programmed with a user's rule set correlated to a temporarily assigned network address;

wherein the rule set contains at least one of a plurality of functions used to control the user's data; and

wherein the redirection server is configured to allow modification of at least a portion of the rule set.

16. The system of claim 15, wherein the redirection server is configured to allow modification of at least a portion of the rule set as a function of time.

17. The system of claim 15, wherein the redirection server is configured to allow modification of at least a portion of the rule set as a function of the data transmitted to or from the user.

18. The system of claim 15, wherein the redirection server is configured to allow modification of at least a portion of the rule set as a function of the location or locations the user accesses.

19. The system of claim 15, wherein the redirection server is configured to allow modification of at least a portion of the rule set as a function of some combination of time, data transmitted to or from the user, or location or locations the user accesses.

20. The system of claim 15, wherein the redirection server is configured to allow the removal or reinstatement of at least a portion of the rule set as a function of time.

21. The system of claim 15, wherein the redirection server is configured to allow the removal or reinstatement of at least a portion of the rule set as a function of the data transmitted to or from the user.

22. The system of claim 15, wherein the redirection server is configured to allow the removal or reinstatement of at least a portion of the rule set as a function of the location or locations the user accesses.

23. The system of claim 15, wherein the redirection server is configured to allow the removal or reinstatement of at least a portion of the rule set as a function of some combination of time, data transmitted to or from the user, or location or locations the user accesses.

24. The system of claim 15, wherein the redirection server has a user side that is connected to a computer using the temporarily assigned network address and a network side connected to a computer network and wherein the computer using the temporarily assigned network address is connected to the computer network through the redirection server.

25. The system of claim 24, wherein instructions to the redirection server to modify the rule set are received by one or more of the user side of the redirection server and the network side of the redirection server.

26. In a system comprising a redirection server containing a user's rule set correlated to a temporarily assigned network address wherein the user's rule set contains at least one of a plurality of functions used to control the user's data; the method comprising the step of:

modifying at least a portion of the user's rule set while the user's rule set remains correlated to the temporarily assigned network address in the redirection server.

27. The method of claim 26, further including the step of modifying at least a portion of the user's rule set as a function of one or more of: time, data transmitted to or from the user, and location or locations the user accesses.

28. The method of claim 26, further including the step of removing or reinstating at least a portion of the user's rule set as a function of one or more of: time, the data transmitted to or from the user and the location or locations the user accesses.

29. The method of claim 26, wherein the redirection server has a user side that is connected to a computer using the temporarily assigned network address and a network side connected to a computer network and wherein the computer using the temporarily assigned network address is connected to the computer network through the redirection server and the method further includes the step of:

receiving instructions by the redirection server to modify at least a portion of the user's rule set through one or more of the user side of the redirection server and the network side of the redirection server.
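The following Python model is an added illustration of the architecture the claims describe; it is not the patent's own code and none of its names come from the application. It wires together the four claimed components: a database correlating user IDs with rule sets (claims 1 and 7), a dial-up network server that assigns a temporary address and reports it with the user ID to an authentication accounting server (claims 1 and 8), an authentication accounting server that hands the matching rule set to the redirection server, and a redirection server that allows, blocks or redirects traffic per temporary address (claims 3 to 6) and modifies the live rule set as a function of time, of the locations the user reaches, and of instructions from the network side (claims 15 to 29). The classes RedirectionServer, AuthAccountingServer, DialUpServer and Rule, the portal-style unlock, the hosts portal.example, news.example and blocked.example, and the 10.0.0.x addresses are all constructed for the walk-through.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class Rule:
    action: str                         # "allow", "block" or "redirect"
    dst: Optional[str] = None           # destination to match; None matches any
    target: Optional[str] = None        # where a "redirect" rule sends the request
    expires_at: Optional[float] = None  # rule lapses at this time (claims 16, 20)
    active: bool = True                 # False = removed; may be reinstated (claims 20-23)

RuleSet = List[Rule]
Database = Dict[str, RuleSet]           # entries correlating user IDs with rule sets (claim 1)
Modifier = Callable[[RuleSet], None]

class RedirectionServer:
    """Keeps rule sets keyed by temporarily assigned address and filters traffic."""
    def __init__(self) -> None:
        self.table: Dict[str, RuleSet] = {}
        # Reaching a listed destination applies the paired modifier to that user's live
        # rule set: modification as a function of data/location (claims 17, 18, 21, 22).
        self.triggers: List[Tuple[str, Modifier]] = []
    def install(self, addr: str, rule_set: RuleSet) -> None:
        # Per-address copy, so modifying one user's rules leaves a shared entry intact.
        self.table[addr] = [replace(r) for r in rule_set]
    def modify(self, addr: str, fn: Modifier) -> None:
        """Instruction (user or network side, claim 25) to modify the live rule set."""
        fn(self.table[addr])
    def handle(self, src: str, dst: str, now: float) -> str:
        """Decide what happens to a request from src to dst at time now."""
        rules = self.table.get(src)
        if rules is None:
            return "block"  # address with no correlated rule set: nothing passes
        for r in rules:     # time-based removal (claims 16, 20)
            if r.expires_at is not None and now >= r.expires_at:
                r.active = False
        decision = "block"  # default deny when no active rule matches
        for r in rules:     # first active matching rule wins
            if r.active and (r.dst is None or r.dst == dst):
                decision = f"redirect:{r.target}" if r.action == "redirect" else r.action
                break
        for trig_dst, fn in self.triggers:  # only fires once the user really reached dst
            if decision == "allow" and trig_dst == dst:
                fn(rules)
        return decision

class AuthAccountingServer:
    def __init__(self, db: Database, redir: RedirectionServer) -> None:
        self.db, self.redir = db, redir
    def authenticate(self, user_id: str, temp_addr: str) -> bool:
        """Look up the user's rule set and hand it to the redirection server (claim 1)."""
        rule_set = self.db.get(user_id)
        if rule_set is None:
            return False
        self.redir.install(temp_addr, rule_set)
        return True

class DialUpServer:
    def __init__(self, aaa: AuthAccountingServer, pool: List[str]) -> None:
        self.aaa, self.pool = aaa, list(pool)
    def connect(self, user_id: str) -> Optional[str]:
        # Assign a temporary address and report user ID plus address to the AAA server.
        addr = self.pool.pop(0)
        if self.aaa.authenticate(user_id, addr):
            return addr
        self.pool.insert(0, addr)  # unknown user: release the address, no session
        return None

def drop_redirect(rules: RuleSet) -> None:
    """Modifier: once the portal has been reached, remove the catch-all redirect."""
    for r in rules:
        if r.action == "redirect":
            r.active = False

def scenario() -> List[str]:
    """Constructed walk-through; returns the redirection server's decisions in order."""
    shared: RuleSet = [
        Rule("block", dst="blocked.example"),       # individualized block (claim 3)
        Rule("allow", dst="portal.example"),        # the portal is always reachable
        Rule("redirect", target="portal.example"),  # everything else goes there (claim 5)
        Rule("allow", expires_at=3600.0),           # session allowance lapses after an hour
    ]
    db: Database = {"alice": shared, "bob": shared}  # common rule set for two users (claim 7)
    redir = RedirectionServer()
    redir.triggers.append(("portal.example", drop_redirect))
    dialup = DialUpServer(AuthAccountingServer(db, redir), ["10.0.0.1", "10.0.0.2", "10.0.0.3"])
    a, b = dialup.connect("alice"), dialup.connect("bob")
    dialup.connect("mallory")                       # not in the database: no session
    out = [
        redir.handle(a, "news.example", 0),         # redirect:portal.example
        redir.handle(a, "portal.example", 1),       # allow, and alice's redirect is dropped
        redir.handle(a, "news.example", 2),         # allow
        redir.handle(a, "blocked.example", 3),      # block
        redir.handle(a, "news.example", 3700),      # block: the allowance has expired
        redir.handle(b, "news.example", 4),         # redirect: bob's copy is untouched
        redir.handle("10.0.0.3", "news.example", 5),  # block: no rule set behind it
    ]
    redir.modify(b, drop_redirect)                  # network-side instruction (claim 25)
    out.append(redir.handle(b, "news.example", 6))  # allow
    return out
```

Two design points carry over to any real deployment of this pattern. The redirection server keys everything on the temporarily assigned address, so a rule set must be torn down (or at least expire, as the timed rule does here) when the address is released; otherwise the next user to receive that address inherits the previous user's permissions. And the per-address copy made in `install` is what lets a shared database entry (claim 7) be modified for one user without silently changing it for every other user who shares it.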